[57] ABSTRACT

A data processing system stores and maintains a plurality of security levels for dynamically linked libraries. Upon loading of an application, and upon determination of which dynamically linked libraries are required by the application, the data processing system determines the predefined security level assigned to the application and loads dynamically linked libraries previously encoded with the predefined security level.
USER LEVEL CONTROL OF DEGREE OF CLIENT-SIDE PROCESSING

TECHNICAL FIELD OF THE INVENTION

The present invention relates in general to data processing systems and in particular, to a system and method for determining a level of security for an application running in the data processing system.

BACKGROUND OF THE INVENTION

A data processing system typically includes a processor along with various other pieces of hardware, such as memory, input means and output means. Without more, a data processing system is not able to accomplish much. However, upon inclusion of an operating system, an application program is able to manipulate various portions of the hardware in order to accomplish a task. The operating system ("OS") software is responsible for controlling the allocation and usage of hardware resources such as the memory, central processing unit, disk space, and peripheral devices. The operating system is the foundation on which applications, such as word-processing and spreadsheet programs, are built. Popular operating systems include MS-DOS, the Macintosh OS, OS/2, and UNIX.

Referring to FIG. 1, there is illustrated a block diagram of a typical early development data processing system 100. Memory space 101 was utilized to include the operating system and various other software code to allow applications 103 and 104 to utilize hardware 102.

Referring to FIG. 2, as the development of computers evolved, data processing systems 200 were configured so that the original memory space 101 (see FIG. 1) was divided into two sections by essentially "pushing down" the kernel 201 to a particular portion of the memory space 101. The kernel 201 is the core of an operating system, which manages memory, files, peripheral devices, maintains the time and date, launches applications, and allocates system resources. The remainder 202 of the memory space 101 was left to include, among other things, software code for allocating the kernel 201 and the hardware 102 among various applications 103, 104.

Referring to FIG. 3, there is illustrated the next evolution in computers, wherein data processing system 300 includes basically the same portions as shown in FIG. 2, except for that those portions that resided within memory space 202 have now been "separated" from the kernel 201 into a personality 301 (alternatively an operating system or server). The personality 301 may be implemented with its own separate hardware, or it may be merely separated in software from the kernel 201. The personality 301 implements the Application Programming Interface (API) set of an OS (in that the architecture of a piano is the keyboard, the architecture of an OS is its API set). So all the look and feel of an OS is presented by the personality 301 of the OS. The kernel 201 continues to include those portions of the operating system needed to allocate and manipulate the hardware 102, while the personality 301 includes software code for loading of applications, implementations of locks, high level file systems, memory management, inter-task/process/thread communication, graphics, device interfaces, scheduling control, access to controlled features (re-boot, set time of day), control of other threads/tasks, contingency processing, and real time functions (e.g. priority inheritance, preemption, thread yielding). The personality 301 corresponds to the particular uniqueness of the operating system loaded onto the data processing system 300. For example, particular personalities are UNIX, OS/2, MS-DOS, etc.

One of the primary functions of the personality 301 is to ensure and enforce security within the data processing system 300, i.e., it is desired that applications 103 and 104 [not be] given a capability of [corrupting] system 300 by being able to affect the operation of each other, the personality 301, the kernel 201, or the hardware 102. Security is protecting data and control of one task from another (task here is the kernel, a personality, a personality neutral server, or an application). Corruption is one problem (accidentally or intentionally). Other problems are: setting a particular task's priority higher than other tasks so that a [competing] product (application) performs better than others, stealing private information, and computer viruses. There are also overt and covert methods of stealing information. An example of an overt method is reading data that belongs to someone else and then simply using the data for your own gain. An example of a covert method is delivering a library routine to a [illegible] where the library routine passes back the dollar value of one party's bid via a covert channel (varying disk I/O [is the classic]) to another task that records the information in an unprotected file so that one can later retrieve the value and [illegible] it to a competitor. Personalities present widely varying degrees of security: from DOS which provides little security up to specialized OSs as used that provide a highly secure environment by the military. Thus, a high security system would require that each application 103, 104 go through the personality 301 for each and every task affecting anything outside of itself. However, it is often desired to allow a particular application to have a capability of performing certain tasks without requiring the application to go through the personality 301, since having to pass everything through the personality 301 places a burden upon personality 301 for its processing time, and it generally slows up the operation of each application 103, 104, the personality 301, and the entire system 300.

There is a need in the art for a system and method for enabling varying degrees of security within a data processing system in a manner configurable by the user of the data processing system.

SUMMARY OF THE INVENTION

The afore-mentioned need is satisfied by the present invention which is for a system and method for enabling varying degrees of security within a data processing system in a manner configurable by a user of the data processing system.

In a preferred embodiment of the present invention, a data processing system stores a kernel and an operating system in its memory, stores an application in the memory, and then stores a dynamically linked library having an associated predetermined security level in the memory wherein the dynamically linked library is linked or coupled to the application program. The data processing system also provides a means for supporting the predetermined security level of the dynamically linked library, wherein the supporting means is associated with the operating system.

During operation of the data processing system, a determination is made as to what is the desired security level for a particular application program to be loaded onto the system. Upon loading of a particular application program, a determination is made of which dynamically linked libraries are requested, or needed, by the application program. The data processing system then searches for the requested dynamically linked libraries having the security level desired for the application program. These dynamically linked libraries are then loaded along with the application
program. If a particular security level has not been set for a requested dynamically linked library, or if a particular dynamically linked library having a certain security level cannot be found, a default dynamically linked library having a default security level will then be loaded along with the application program.

The foregoing has outlined rather broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows may be better understood. Additional features and advantages of the invention will be described hereinafter which form the subject of the claims of the invention.

BRIEF DESCRIPTION OF THE DRAWING

For a more complete understanding of the present invention, and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:

FIG. 1 illustrates a typical early development data processing system;

FIG. 2 illustrates a data processing system where the kernel has been separated;

FIG. 3 illustrates a data processing system wherein a personality has been separated from the kernel;

FIG. 4 illustrates a data processing system configured in accordance with the present invention;

FIG. 5 illustrates a matrix array showing a capability of the present invention to assign various security levels with respect to various applications and servers loaded onto the data processing system;

FIG. 6 illustrates a flow diagram of a preferred embodiment of the present invention;

FIG. 7 illustrates a memory tree showing various security level versions of a dynamically linked library file; and

FIG. 8 illustrates a data processing system configurable in accordance with the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION

In the following description, numerous specific details are set forth to provide a thorough understanding of the present invention. However, it will be obvious to those skilled in the art that the present invention may be practiced without such specific details. In other instances, well-known circuits have been shown in block diagram form in order not to obscure the present invention in unnecessary detail. For the most part, details concerning timing considerations and the like have been omitted inasmuch as such details are not necessary to obtain a complete understanding of the present invention and are within the skills of persons of ordinary skill in the relevant art.

Refer now to the drawings wherein depicted elements are not necessarily shown to scale and wherein like or similar elements are designated by the same reference numeral through the several views.

Referring to FIG. 4, there is illustrated data processing system 400 comprising hardware 102, kernel 201, server 301, and applications 103 and 104, similarly as discussed above with respect to FIG. 3. Server 301 may implement the semantics of any one of various available operating systems, such as OS/2, AIX 4.0, NT, UNIX, etc.

As applications 103 and 104 are loaded, dynamically linked libraries 401, 402, respectively, are loaded along with the applications 103 and 104. Dynamically linked libraries ("DLL") are well-known in the art. A DLL is a collection of routines stored in a file. Each set of instructions in a library has a name, and each performs a different, often very specific, task, for example, the printf() function as part of the Standard C library and displays characters on the screen. Such sets of instructions simplify work and prevent duplication of effort each time a particular task needs to be carried out. A programmer of an application can identify a library to an application, refer to library routines in the application, and have the application carry out the appropriate task without having to write (or rewrite) the instructions themselves each time they are needed. Thus, DLLs 401, 402 enable applications 103, 104, respectively, to carry out specific tasks without requiring assistance from server 301.

DLL's present the complete API set as mentioned above. The idea here is that one can vary how the APIs are performed (implemented). For example, in a very secure system, the DLL will almost always call the personality 301 and in a low security the DLL might seldom call the personality 301. Thus, in FIG. 4, application 104 has been labeled as using a DLL 402 that implements "few" services (APIs) internally and thus requires (by implication) many messages to the personality 301. On the other hand, the DLL loaded for application 103 implements some services internally and only requires (by implication) a few messages to the server 301 as described below. However, with such freedom also comes less security within system 400. For example, a particular DLL may permit an application to corrupt another application, or even cause undesirable actions to occur within kernel 201 and even hardware 102.

Consider example 1 for RAM based locks. Many applications such as GUI interfaces and database servers require global locks (shared between tasks). The tasks can gain a lot of performance by using locks that are based in shared memory (RAM based) as opposed to based in a personality 301. A lock, even one based in a personality 301, does not take much time - the gain [is] from the frequency these locks are used (percent of total time is dependent on the time of a service times the frequency of use). A RAM based lock can frequently be grabbed in a few instructions whereas a message to a personality 301, typically requires several hundred instructions. One problem is that an erroneous task can write randomly [illegible] and [illegible] over a lock variable [illegible] result in other tasks [illegible] the lock [illegible] with the result that [illegible] the applications "hang" on a lock that [illegible] never be freed. [illegible] problem occurs when a task terminates while holding a RAM based lock. [illegible] the system has no way of [illegible] to clear these RAM based locks and [illegible] other tasks [illegible]. There are four obvious levels of security here. The first level is a low level of security with the problems mentioned. The second would be a high level of security where the tasks do not use RAM semaphores and go to the personality 301 for each lock action and thus avoid all the problems above. The third is an intermediate solution whereby the tasks register locks with the personality 301, which can then monitor tasks and clean up locks after well behaved tasks terminate or return locks to a known state and broadcast the reset to clients when a task accidentally overwrites the locks. A fourth solution which lies between the second and third levels of security, is to piggy back the lock semantics on a safe kernel based package.

Also, consider example 2 for video buffers. Graphical applications can desire very high-speed manipulation of bits on the computer video display, for example to rotate a picture. If the application is given direct access to the video hardware by enabling access to the video memory and I/O
registers in the library, the bits can be updated more quickly than if a message between tasks requiring several hundred instructions is used. However, if the application is able to write on the video hardware at any time, it may draw over what another application (including the kernel) is drawing to the screen.

Additionally it is desirable to be able to have different security levels for different applications running on system 400. Suggested levels of security (actual choice of levels is subjective):

Level 1: The tasks of an application have direct access to the resources of all applications and system resources (ports, devices, kernel memory, . . . ).

Level 2: The tasks of an application have direct access to the resources of all applications, but limited access to system resources (must be granted access on a case-by-case basis).

Level 3: The tasks of an application have direct access to the resources of all applications under the same personality 301, but limited access to system resources.

Level 4: The tasks of an application have direct access to the resources of all tasks for one application, but limited access to system resources or other applications.

Level 5: A task has direct access to the resources of only that task, but limited access to system resources or other tasks.

It may also be desirable to permit a user of system 400 to dynamically change the security level for various applications, such as applications 103 and 104.

In order to implement such varying levels of security, it is required that system 400 implement a machine that provides address space protection, which is well-known in the art. It is also required that system 400 employ a dynamic loading mechanism where references are resolved at run time to a library. Also required are references which are candidates or library references in the client application.

As a result of an ability for a user to dynamically vary security levels for various applications, varying and programmable levels of security may be implemented within system 400. For example, a very high security level will require that an application pass all messaging through server 301 before the message is able to reach any other application, kernel 201 or the hardware 102. A second level of security may be implemented, or encoded, to ensure that a particular application does not corrupt system 400. A third level may be encoded so that a particular application may only corrupt applications of a particular user. Yet another security level may be encoded so that a particular application is only able to corrupt, or effect, itself, while even a more stringent security level will even protect the application from itself. The variation in levels is programmable by the user.

As it is well known in the art, an application often requires one or more DLLs in order to interact with the remainder of the data processing system 400. Thus, the present invention encodes various security levels along with the DLLs required, or requested, by a particular application.

Referring to FIG. 7, there is shown a representation of how varying security levels may be implemented with respect to a particular DLL File A. Shown are four different security levels that may be associated with DLL File A. Security level 1 may be the most stringent security level, while security level 4 may be the least stringent security level. As a result, particular codes may be removed (or added) from the security level 1 version of the DLL File A to ensure that an application that receives DLL File A is not able to do certain tasks, and as a result affect certain portions of system 400, while such tasks may be allowed by the other three security levels. As may be readily seen, one application may be provided with a DLL File A having security level 1, while another application may be provided with a security level 3 version of the same DLL File A. The programmer and/or administrator of system 400 can set the [illegible] desire by determining which [illegible] coded [illegible] are or are not to be provided to certain applications. Once it has been determined what capabilities to provide to a particular application, then the DLL file requested by that application can be modified to the desired security level. Then, upon loading of the application, the DLL file required by the application will be loaded along with the application, relative to the desired security level.

Referring to FIG. 6, there is illustrated a flow diagram illustrating this process. The flow begins with step 601 and proceeds to step 602 wherein the particular applications 103, 104 is loaded into memory by system 400. Next, in step 603, the system [searches] a security file for the application 103, 104. In other words, a security file can be maintained within system 400 (i.e., server 300) which lists the various security levels that are to be provided to particular applications 103, 104. When a particular applications 103, 104 is loaded onto system 400, server 301 will search the security file for applications 103, 104 to determine what security level applications 103, 104 is to receive. In step 604, the system determines whether or not a security file for applications 104 has been found. If yes, the system 400 proceeds to step 605 to set the security level equal to the level found within the security file for applications 103, 104. Thereafter, at step 606, the one or more DLLs required, or requested, by applications 103, 104 are determined. In step 607, the path, such as the one illustrated in FIG. 7, is searched for the requested DLL file(s) having the security level set in step 605. As illustrated in FIG. 4, applications 103, 104 has been loaded along with DLL file 401, 402 having a level 3, 1 security. If in step 605, the security level had been set to a different level, then the DLL file(s) associated with that security level 1 (FIG. 7) would have been loaded instead. In step 608, system 400 determines whether or not the particular DLL file having the desired security level has been found. If yes, the process proceeds to step 609 to load the DLL file(s) having the desired security level along with applications 103, 104. The process ends at step 613.

If in step 604 applications 103, 104 is not found within the security file list, or if within step 608 the desired DLL file is not found, the process proceeds to step 610 to search a default path for a DLL having a default security level. Next, at step 611, it is determined whether or not the default DLL file has been found. If yes, the process proceeds to step 612 to load the default DLL file. If the default DLL file is not found, the process proceeds to step 614, wherein a load error has occurred.

Referring next to FIG. 4, applications 103 is shown having been loaded along with DLL file 401 having a level 3 security, while applications 104, which may or may not be the same or similar to application 103, has been loaded with DLL file 402 having a level 1 security. Server 301 implements four levels of security. In this example, security level 1 is a more stringent security level than levels 2, 3, and 4. Since DLL file 401 has a level 3 security, application 103 will have "some" capability to perform tasks on its own without requiring assistance from server 301, while application 104 will require assistance from server 301 more often than application 103 since DLL file 402, having a security level 1, has an ability to only do a "few" tasks on its own.
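The FIG. 6 resolution flow (steps 603 to 614) can be sketched as follows. This is an added example, not code from the patent: the application names, library names, paths and the `weaker` audit flag are assumptions, and levels follow the FIG. 7 convention in which level 1 is the most stringent.

```c
#include <stdio.h>
#include <string.h>

/* All names, paths and levels below are constructed sample data. Levels follow
 * the FIG. 7 convention: 1 is the most stringent, 4 the least. */
struct sec_entry   { const char *app;  int level; };
struct dll_version { const char *name; int level; const char *path; };

/* The "security file": which level each application is to receive. */
static const struct sec_entry security_file[] = {
    { "app103", 3 }, { "app104", 1 }, { "app105", 2 },
};

/* Level-specific search path, laid out like the FIG. 7 tree. */
static const struct dll_version level_path[] = {
    { "dll_a", 1, "lib/level1/dll_a" },
    { "dll_a", 3, "lib/level3/dll_a" },
    { "dll_a", 4, "lib/level4/dll_a" },
};

/* Default search path: one default version per library. */
static const struct dll_version default_path[] = {
    { "dll_a", 1, "lib/default/dll_a" },   /* default is the strict build */
    { "dll_b", 4, "lib/default/dll_b" },   /* default is the loose build  */
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

enum load_status { LOAD_LEVEL, LOAD_DEFAULT, LOAD_ERROR };

struct load_result {
    enum load_status status;
    int requested;      /* level from the security file, 0 if none found  */
    int loaded;         /* level of the library chosen, 0 on load error   */
    int weaker;         /* 1 if the default is less stringent than asked  */
    const char *path;   /* NULL on load error                             */
};

/* Steps 603-605: look the application up in the security file. */
static int lookup_level(const char *app)
{
    for (size_t i = 0; i < COUNT(security_file); i++)
        if (strcmp(security_file[i].app, app) == 0)
            return security_file[i].level;
    return 0;
}

/* Search one path for a library; level 0 matches any version. */
static const struct dll_version *find(const struct dll_version *tab, size_t n,
                                      const char *name, int level)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0 &&
            (level == 0 || tab[i].level == level))
            return &tab[i];
    return NULL;
}

/* Steps 606-614 for one requested library. */
struct load_result resolve_dll(const char *app, const char *dll)
{
    struct load_result r = { LOAD_ERROR, lookup_level(app), 0, 0, NULL };
    const struct dll_version *v = NULL;

    if (r.requested != 0)                                    /* steps 607-608 */
        v = find(level_path, COUNT(level_path), dll, r.requested);
    if (v != NULL) {
        r.status = LOAD_LEVEL;                               /* step 609 */
    } else {
        v = find(default_path, COUNT(default_path), dll, 0); /* steps 610-611 */
        if (v == NULL)
            return r;                                        /* step 614 */
        r.status = LOAD_DEFAULT;                             /* step 612 */
        /* Record a fallback that grants more than the security file asked for. */
        r.weaker = r.requested != 0 && v->level > r.requested;
    }
    r.loaded = v->level;
    r.path = v->path;
    return r;
}

int main(void)
{
    static const char *cases[][2] = {
        { "app103", "dll_a" }, { "app105", "dll_a" }, { "app999", "dll_a" },
        { "app104", "dll_b" }, { "app103", "dll_c" },
    };
    static const char *names[] = { "level", "default", "error" };
    for (size_t i = 0; i < COUNT(cases); i++) {
        struct load_result r = resolve_dll(cases[i][0], cases[i][1]);
        printf("%s + %s: %s requested=%d loaded=%d weaker=%d path=%s\n",
               cases[i][0], cases[i][1], names[r.status], r.requested,
               r.loaded, r.weaker, r.path ? r.path : "(none)");
    }
    return 0;
}
```

The `app104` and `dll_b` case shows why the level of the default library matters: a missing level 1 version resolves to a level 4 default, which the `weaker` flag makes visible to whoever reviews the load.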
A further example will help illustrate the above implementation of service levels. Assume application 103 resides on a disk and references DLL File A, which communicates with server 301. Three versions of DLL File A exist corresponding to three different levels of client-side processing. The user of system 400 can specify the desired security level using an interface. A text file may be utilized, but a more elaborate graphical user interface may be implemented to permit a user to set security levels to various applications, and to modify the security levels as desired. Once application 103 is loaded, it is linked to one of the three different levels of DLL File A. To application 103, the interfaces to DLL File A are the same regardless of the various security levels. Server 301 is designed to handle the three security levels. If application 103 is using a communication network, as an example, DLL File A may provide the communication interfaces needed. A most secure version of DLL File A (e.g., security level 1) might send all requests for communications to server 301 from application 103, which could then verify them before allowing such communications to proceed. The second most secure version of the DLL File A might be encoded to send communications connection requests to server 301, but would be able to read/write directly to the connection once it is opened. The least secure library might be encoded to allow application 103 to open, read and write directly to the particular device within hardware 102 required for the communications desired.
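The three versions of DLL File A described above can be modelled as three function tables behind one interface. This is an added example, not code from the patent: the server's checks (an allowed destination and a write-size limit), the host names and the sample workload are assumptions made so that the difference in mediation is observable.

```c
#include <stdio.h>
#include <string.h>

/* Simulated server 301: counts the messages it receives and applies a
 * constructed policy (both checks are assumptions for this example). */
static int server_msgs;
static int device_bytes;

static int server_check_open(const char *dest)
{
    server_msgs++;
    return strcmp(dest, "billing-host") == 0;   /* assumed allowed destination */
}

static int server_check_write(size_t len)
{
    server_msgs++;
    return len <= 64;                           /* assumed per-write size limit */
}

/* Direct access to the communication device in hardware 102: no mediation. */
static int dev_open(const char *dest) { (void)dest; return 1; }
static int dev_write(size_t len) { device_bytes += (int)len; return 1; }

/* The interface the application links against; identical at every level. */
struct comm_api {
    int level;
    int (*open)(const char *dest);
    int (*write)(size_t len);
};

/* Server-mediated variants: ask server 301 first, touch the device only if allowed. */
static int mediated_open(const char *dest)
{
    return server_check_open(dest) && dev_open(dest);
}

static int mediated_write(size_t len)
{
    return server_check_write(len) && dev_write(len);
}

/* Most secure: every request goes through the server. */
const struct comm_api DLL_A_LEVEL1 = { 1, mediated_open, mediated_write };
/* Second most secure: the server sees connection requests only. */
const struct comm_api DLL_A_LEVEL2 = { 2, mediated_open, dev_write };
/* Least secure: open and write go straight to the device. */
const struct comm_api DLL_A_LEVEL3 = { 3, dev_open, dev_write };

struct run_stats {
    int opened;        /* 1 if the connection was established        */
    int writes_ok;     /* number of writes that reached the device   */
    int server_msgs;   /* messages the server had a chance to verify */
    int device_bytes;  /* bytes written to the device                */
};

/* Constructed workload: two small writes and one oversized write. */
static const size_t SAMPLE_WRITES[] = { 16, 16, 200 };

/* The "application": the same code whichever version of DLL File A is linked. */
struct run_stats run_app(const struct comm_api *api, const char *dest)
{
    struct run_stats s = { 0, 0, 0, 0 };
    server_msgs = 0;
    device_bytes = 0;
    s.opened = api->open(dest);
    for (size_t i = 0; s.opened && i < 3; i++)
        s.writes_ok += api->write(SAMPLE_WRITES[i]);
    s.server_msgs = server_msgs;
    s.device_bytes = device_bytes;
    return s;
}

int main(void)
{
    const struct comm_api *apis[] = { &DLL_A_LEVEL1, &DLL_A_LEVEL2, &DLL_A_LEVEL3 };
    const char *dests[] = { "billing-host", "other-host" };
    for (size_t d = 0; d < 2; d++)
        for (size_t a = 0; a < 3; a++) {
            struct run_stats s = run_app(apis[a], dests[d]);
            printf("level %d -> %-12s opened=%d writes_ok=%d server_msgs=%d bytes=%d\n",
                   apis[a]->level, dests[d], s.opened, s.writes_ok,
                   s.server_msgs, s.device_bytes);
        }
    return 0;
}
```

The message counts correspond to the "few" and "some" client-side services of FIG. 4: the fewer requests the library handles on its own, the more messages server 301 receives and the more it can verify.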

Referring to FIG. 5, there is illustrated a matrix illustrating how a data processing system employing a plurality of servers and implementing a plurality of applications can be encoded so that a particular server may implement two different security levels for a particular DLL file for two different applications, and the system may be programmed so that two separate servers implement two different security levels for the same application. As illustrated, server A implements a security level 3 for application 1 while implementing a security level 2 for application 2. Server B implements security level 4 for application 1 and security level 1 for application 2. Thus, application 1 has one particular security level when loaded by server A, and has a security level 4 when application 1 is loaded by server B.

A representative hardware environment 102 for practicing the present invention is depicted in FIG. 8, which illustrates a typical hardware configuration 102 of a workstation in accordance with the subject invention having central processing unit 10, such as a conventional microprocessor, and a number of other units interconnected via system bus 12. The workstation shown in FIG. 8 includes random access memory (RAM) 14, read only memory (ROM) 16, and input/output (I/O) adapter 18 for connecting peripheral devices such as disk units 20 and tape drives 40 to bus 12, user interface adapter 22 for connecting keyboard 24, mouse 26 and/or other user interface devices such as a touch screen device (not shown) to bus 12, communication adapter 34 for connecting the workstation to a data processing network, and display adapter 36 for connecting bus 12 to display device 38. Applications 103, 104 and DLLs 401, 402, and server 301, and the various security levels for any one particular DLL file as illustrated in FIG. 7, may be stored on disk units 20 or tape drives 40 and may then be loaded into RAM 14. Kernel 201 may be stored within disk units 20, tape drives 40, RAM 14 or ROM 16. Implementation of the various security levels for various DLLs may be performed by a user using keyboard 24, display 38 and any other user interface devices that may be implemented with hardware 102.

With the foregoing hardware in mind, it is possible to explain the process-related features of the present invention. To more clearly describe these features of the present invention, discussion of other conventional features is omitted as being apparent to those skilled in the art. It is assumed that those skilled in the art are familiar with a multiuser, multiprocessor operating system, and in particular with the requirements of such an operating system for memory management including virtual memory, processor scheduling, synchronization facilities for both processes and processors, message passing, ordinary device drivers, terminal and network support, system initialization, interrupt management, system call facilities, and administrative facilities.

Although the present invention and its advantages have 
been described in detail, it should be understood that various 
changes, substitutions and alterations can be made herein 
without departing from the spirit and scope of the invention 
as defined by the appended claims. 

What is claimed is: 

1. A data processing system for setting desired security levels for application programs without modification of the application programs, said system comprising:

a processor, input means, output means, and memory means coupled via a bus;

means for storing a kernel and an operating system in said memory means;

means for storing a plurality of different security level versions of selected ones of a plurality of dynamically linked libraries, wherein a security level determines an amount of interaction between said operating system and an application program;

means for loading into said memory means a first application program;

means for storing said first application program in said memory means;

means for determining a security level for said first application program;

means for determining which of said selected ones of a plurality of dynamically linked libraries is requested by said first application program;

means for retrieving, without modifying said first application program, one of said selected ones of a plurality of dynamically linked libraries which incorporates said desired security level for said first application program, wherein said retrieved one of said selected ones of a plurality of dynamically linked libraries which incorporates said desired security level corresponds to said dynamically linked library requested by said first application program;

means for loading into said memory means said one of said selected ones of a plurality of dynamically linked libraries which incorporates said desired security level for said first application program;

means for loading a dynamically linked library having a default security level when said one of said selected ones of a plurality of dynamically linked libraries which incorporates said desired security level for said first application program is not retrievable;

means for loading into said memory means said dynamically linked library having a default security level when said desired security level for said first application program cannot be determined;

means for loading into said memory means a message stub which allows said operating system, which loaded said first application program, to support said desired security level for said first application program;

means for loading into said memory means a second application program;
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means for storing said second application program in said 
memory means; 

means for determining what is the desired security level 
for said second application program; 

means for determining which of said selected ones of a 
plurality of dynamically linked libraries is requested by 
said second application program; 

means for retrieving, without modifying said second 
application program, one of said selected ones of a 
plurality of dynamically linked libraries which incor- 
porates said desired security level for said second 
application program, wherein said retrieved one of said 
selected ones of a plurality of dynamically linked 
libraries which incorporates said desired security level 
corresponds to said dynamically linked library 
requested by said second application program; 

means for loading into said memory means said one of 
said selected ones of a plurality of dynamically linked 
libraries which incorporates said desired security level 
for said second application program; 

means for loading into said memory means a dynamically
linked library having a default security level when said
one of said selected ones of a plurality of dynamically
linked libraries which incorporates said desired security
level for said second application program is not
retrievable;

means for loading into said memory means said dynamically
linked library having a default security level when
said desired security level for said second application
program cannot be determined; and

means for loading into said memory means a message
stub which allows said operating system, which loaded
said second application program, to support said
desired security level for said second application program.

2. The system as recited in claim 1, wherein said desired
security level for said second application program is different
than said desired security level for said first application
program.

3. The system as recited in claim 1, further comprising:

means for storing a second operating system in said
memory means, wherein said second operating system
loads said second application program, wherein said
first and second application programs are identical
application programs, and wherein said desired security
level for said second application program is different
than said desired security level for said first application
program.

4. A data processing system comprising: 

a processor, input means, output means, and memory 
means coupled via a bus; 

means for storing a kernel and an operating system in said 
memory means; 

means for storing one or more application programs in 
said memory means; 

means for defining one or more security levels; 

means for storing one or more dynamically linked libraries
in said memory means, each dynamically linked
library associated with one of the defined security
levels;

means for loading an application program; and

means for linking, without modifying the application
program, one or more of the dynamically linked libraries
to an application program when the application
program is loaded, wherein the security level of each
dynamically linked library linked to the application
program is a desired security level of the application
program, and wherein the security level of each
dynamically linked library determines a degree of
access the application program has to one or more
system resources, and wherein each time the application
program is loaded, it may be linked to different
dynamically linked libraries at different security levels.

5. A system according to claim 4, wherein said means for
loading further comprises means for determining the desired
security level of the application program.

6. A system according to claim 4, wherein said means for
loading further comprises means for determining which
dynamically linked libraries are requested by the application
program.

7. A system according to claim 4, further comprising:

means for storing plural copies of each dynamically
linked library, wherein each copy of a particular
dynamically linked library is associated with a different
one of the defined security levels.

8. A system according to claim 4 wherein each defined 
security level determines an amount of interaction between 
said operating system and said application program. 

9. A system according to claim 4, further comprising 
means for supporting each of the defined security levels, said 
supporting means stored in association with said operating 
system. 

10. A system according to claim 5, further comprising:

when the desired security level of an application program
can not be determined, means for linking one or more
of the dynamically linked libraries to the application
program, wherein the security level of each dynamically
linked library is a default security level.

11. A system according to claim 7, further comprising:

when a dynamically linked library requested by the application
program is not retrievable at the desired security
level of the application program, means for linking the
requested dynamically linked library at a default security
level.

12. In a data processing system, a method for setting a 
desired security level for an application program, said 
method comprising the steps of: 

defining one or more security levels; 

storing one or more dynamically linked libraries, each
dynamically linked library associated with one of the
defined security levels;

loading the application program; and

linking, without modifying the application program, one
or more of the dynamically linked libraries to the
application program, wherein the security level of each
dynamically linked library is the desired security level
of the application program, and wherein the security
level of each dynamically linked library determines a
degree of access the application program has to one or
more system resources, and wherein each time the
application program is loaded, it may be linked to
different dynamically linked libraries at different security
levels.

13. A method according to claim 12, wherein said loading
step further comprises the step of determining the desired
security level of the application program upon initiating said
loading of the application program.

14. A method according to claim 12, wherein said loading
step further comprises the step of determining which
dynamically linked libraries are requested by the application
program.

15. A method according to claim 12, further comprising
the step of: 

storing plural copies of each dynamically linked library, 
wherein each copy of a particular dynamically linked 
library is associated with a different one of the defined 
security levels. 

16. A method according to claim 12 wherein said defining
step comprises defining one or more security levels wherein
each defined security level determines an amount of interaction
between said operating system and said application
program.

17. A method according to claim 13, further comprising 
the step of: 

when the desired security level of the application program 
can not be determined, linking one or more of the 
dynamically linked libraries to the application program, 
wherein the security level of each dynamically linked 
library is a default security level. 

18. A method according to claim 14, further comprising 
the step of: 

when a dynamically linked library requested by the application
program is not retrievable at the desired security
level of the application program, linking the requested
dynamically linked library at a default security level.

19. In a data processing system, a method for setting a 
desired security level for an application program, said 
method comprising: 

storing a kernel and an operating system in a memory 
means; 

storing a plurality of different security level versions of 
selected ones of a plurality of dynamically linked 
libraries, wherein a security level determines an 
amount of interaction between said operating system 
and an application program; 

loading into said memory means an application program; 

storing said application program in said memory means; 

determining a security level for said application program;

determining which of said selected ones of a plurality of
dynamically linked libraries is requested by said application
program;

retrieving, without modifying said application program,
one of said selected ones of a plurality of dynamically
linked libraries which incorporates said desired security
level for said application program, wherein said
retrieved one of said selected ones of a plurality of
dynamically linked libraries which incorporates said
desired security level corresponds to said dynamically
linked library requested by said application program;
and

loading into said memory means said one of said selected 
ones of a plurality of dynamically linked libraries 
which incorporates said desired security level for said 
application program. 

20. The method of claim 19, further comprising:

loading a dynamically linked library having a default
security level when said one of said selected ones of a
plurality of dynamically linked libraries which incorporates
said desired security level for said application
program is not retrievable.

21. The method of claim 20, further comprising:

loading into said memory means said dynamically linked
library having a default security level when said desired
security level for said application program cannot be
determined.

22. The method of claim 19, further comprising:

loading into said memory means a message stub which
allows said operating system, which loaded said application
program, to support said desired security level
for said first application program.
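
The selection and fallback steps recited in claims 19 to 21 (and in claims 10, 11, 17 and 18), sketched as an added example that is not part of the patent text. The level names, library names, paths, and the `fell_back` flag are assumptions made for illustration; the claims define no concrete levels or file layout.

```c
#include <stdio.h>
#include <string.h>

/* Constructed levels: the claims define "one or more security levels" but name none. */
enum sec_level { LEVEL_UNKNOWN = -1, LEVEL_DEFAULT = 0, LEVEL_LOW = 1, LEVEL_HIGH = 2 };

struct lib_variant { const char *name; enum sec_level level; const char *path; };
struct resolution  { const struct lib_variant *lib; int fell_back; };

/* Constructed store holding plural copies of each library, one per level. */
static const struct lib_variant STORE[] = {
    { "libfile", LEVEL_DEFAULT, "/lib/default/libfile.so" },
    { "libfile", LEVEL_LOW,     "/lib/low/libfile.so" },
    { "libfile", LEVEL_HIGH,    "/lib/high/libfile.so" },
    { "libnet",  LEVEL_DEFAULT, "/lib/default/libnet.so" },
    { "libnet",  LEVEL_HIGH,    "/lib/high/libnet.so" },  /* no LOW copy stored */
};

static const struct lib_variant *find(const char *name, enum sec_level level) {
    for (size_t i = 0; i < sizeof STORE / sizeof STORE[0]; i++)
        if (STORE[i].level == level && strcmp(STORE[i].name, name) == 0)
            return &STORE[i];
    return NULL;
}

/* Pick the copy of the requested library at the application's desired level.
 * Fall back to the default-level copy when the level is undetermined or that
 * copy is not retrievable. lib is NULL when no copy exists at all. */
struct resolution resolve_library(const char *requested, enum sec_level desired) {
    struct resolution r = { NULL, 0 };
    if (desired != LEVEL_UNKNOWN)
        r.lib = find(requested, desired);
    if (r.lib == NULL) {
        r.lib = find(requested, LEVEL_DEFAULT);
        r.fell_back = 1;  /* assumption: surfaced so the caller can log the substitution */
    }
    return r;
}

int main(void) {
    const char *req[] = { "libfile", "libnet" };
    enum sec_level lv[] = { LEVEL_HIGH, LEVEL_LOW, LEVEL_UNKNOWN };
    for (size_t a = 0; a < 3; a++)
        for (size_t i = 0; i < 2; i++) {
            struct resolution r = resolve_library(req[i], lv[a]);
            printf("level=%d %s -> %s%s\n", (int)lv[a], req[i], r.lib->path,
                   r.fell_back ? " (default fallback)" : "");
        }
    return 0;
}
```

The application's own request (`libnet`) is never rewritten; only the path the loader maps it to changes, which is what "without modifying said application program" amounts to here. Recording `fell_back` lets an operator see when an application ran at the default level instead of the one it was assigned.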